Yes, it's certainly reasonable. The day you deny that your infrastructure is vulnerable to virus threats is the day you've lost a great deal of credibility. Again, what's this contract worth to you and your employer?
–
EEAA Sep 30 '11 at 15:43

14

It's incorrect to assume Linux can't get viruses; they do, it's just exceptionally rare compared to something like Windows.
–
anthonysomerset Sep 30 '11 at 15:44

21

@mailq - No offense, but that's one of the most stupid ideas I've heard in quite a while. If a regulation says antivirus must be installed, the intent there is that it's running as well. If you think you'd be able to slip through an audit without it running, you're deluding yourself.
–
EEAA Sep 30 '11 at 15:47

9

Who said Linux can't get a virus? That's completely false and not true. It's like saying a Mac computer can't get a virus. Just install ClamAV; it's pretty lightweight and you shouldn't even notice it's there.
–
Matt Sep 30 '11 at 17:23

6

I'm -1'ing you for being so naive you think Linux can't catch a virus. You're fighting to not install antivirus, and as such you don't deserve this (or any) contract from paying customers. If you came and told me this, I'd laugh your ass out of the building as well. Then I'd go and find another company that actually cares about their customers security.
–
Ben Pilbrow Oct 1 '11 at 15:19

5 Answers
5

Yes, it's certainly a reasonable request. The day you deny that your infrastructure is vulnerable to virus threats is the day you've lost a great deal of credibility.

You need to weigh the ramifications (annoyance factor, possible performance issues, maintenance overhead) of running AV with the value of this contract. If one company is listing AV as a requirement, it's likely that others will do the same in the future. If you're already running it, you'll be well-positioned to win their business.

+1 - There is an elegant argument to be made about Antivirus software causing MORE TROUBLE on unix systems, and how compensating controls (that's a term that makes auditors squeal with delight) are in place that make AV unnecessary. There is an equally elegant argument about why unix mail servers should be running some kind of AV (scanning the mail that passes through them) to help protect the recipients' workstations.
–
voretaq7♦ Sep 30 '11 at 16:14

4

Right - especially if your "compensating controls" consist of something like Tripwire and vigorous review of its results; audits of running software, etc.
–
mfinni Sep 30 '11 at 16:34

I seem to remember when we went through the PCI thing that AIDE actually counted as anti-virus software. It does depend on what your server does and how you configure AIDE as to whether it will detect a virus or not. In any case, that phrase "compensating controls" is a good one to use.
–
Ladadadada Oct 1 '11 at 15:47

The likelihood of a Linux server being infected by a virus is very, very low, but not zero. If that is a concern for your auditor/client/whoever, then you should understand that and determine if their business is important to you. If their business is worth more than the CPU cycles and disk I/O that it will take to scan, then you should install the AV. If it is not, then you should explain this to your customer and ask them to bring their contract elsewhere.

It's not an unreasonable claim, especially if this server is hosting files for Windows clients. By installing ClamAV (or whatever) you are protecting those Windows clients that connect to your server.

Even if it does, two heads are better than one if you have the resources.
–
MDMarra Sep 30 '11 at 16:25

1

Does running a virus scan reduce the risk of being infected?
–
johanvdw Sep 30 '11 at 17:29

7

As someone who has been on shared hosting servers where people's WordPress or phpBB holes led to my own unrelated accounts getting compromised and serving up malware and spam to random visitors, I wish more people actually realized that just because Linux's design makes it inherently more secure doesn't make it even remotely close to immune to massive problems.
–
fluffy Sep 30 '11 at 21:04

3

@curiousguy I absolutely agree with you that a virus scanner is extra surface area that, while potentially mitigating some risks, creates new risks. The point that you seem to be making, and correct me if I'm wrong, is that the security benefits from running a virus scanner don't outweigh the risks. Some virus scans are as simple as a cryptographic hash against a file - not a ton of risk there. On something like an SMTP server doing spam filtering, you'd have a hard time making the assertion that the risk to the server running the filter outweighs the benefit.
–
Shane Madden♦ Oct 9 '11 at 18:07

If you're talking about the self-replicating binaries that float around Windows networks then sure, the probability of Linux getting one of these is very very low.

If we're talking about the broader subject of malicious software, then Linux is anything but immune. Unpatched and poorly configured Linux servers are exploited all the time and turned into bot herders, or used for other nefarious purposes. To pretend that these threats don't exist is burying one's proverbial head in the sand.

I have never run antivirus software on a Linux server as I like to think that regular patching and sane configuration will protect my servers from 99.99% of threats. However I'd certainly consider it in this case, provided the software was actually able to detect the kind of malicious software that affects Linux servers and wasn't a simple port of a Windows AV suite.

"Put the term "virus" in context." Indeed. If they cannot even spell out the many specific types of malicious software (some distinctions are not always clear, such as the boundary between virus and worm, but the distinction between self-replicating and non-propagating malware is IMO essential)... to me it means they are repeating buzzwords or phrases they heard ("must have AV installed").
–
curiousguy Oct 2 '11 at 0:12

It wouldn't do any harm to install an AV package, especially as it could mean the difference between gaining and losing a contract.

Maybe more than an AV package you need to consider a rootkit detection suite, and CRON a scan to run at regular intervals. Be prepared for false positives also - some suites are more prone to false-positives than others, and until you get used to these anomalies it can be disconcerting.

Ask them to define exactly the concept of "anti-virus". What kind of threats are they worried about?

If they cannot answer (maybe because they really have no idea what they are talking about and are just filling in a checklist), ask them for a list of approved anti-virus programs.

If the requirement is just:

You shall have an AV program installed, period.

they probably have no idea what they are talking about. Just ask them what they expect you to do exactly.

If the requirement is:

You should regularly check all installed programs (binaries and scripts) for new programs, altered files, or any other sign of pathological file content.

then it means you may not need the proverbial "AV", and that a script to check the integrity of the server will be adequate, more precise and more reliable: no false positives if you know which files are modified when your server is running normally, and if you can spell out the consistency requirements of modified files.

Designing a script to check the integrity, or even setting up some existing tool so that it understands the specifics of your server, will necessitate additional work (AV programs are more buy-then-install-then-forget, that's probably why they are so popular). But I think that will do much more for your server security.
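As an added example (not code from this answer or from any tool named on the page), here is a minimal baseline-and-verify integrity check of the kind described above, the same idea AIDE and Tripwire implement with far more care, suitable for the cron-driven scan suggested earlier. It assumes GNU coreutils (`sha256sum`, `stat -c`); the root directory and baseline path are arguments chosen by the caller.

```shell
#!/bin/sh
# Added example: file-integrity baseline and verification for one directory tree.
# Assumes GNU coreutils (sha256sum, stat -c). Paths containing newlines are not handled.

# Write one line per regular file under $1 into baseline file $2:
#   <sha256> TAB <mode:owner:group> TAB <path>
integrity_baseline() {
    local root out
    root=${1%/}; out=$2
    find "$root" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\t%s\n' "$(sha256sum "$f" | cut -d' ' -f1)" \
            "$(stat -c '%a:%U:%G' "$f")" "$f"
    done > "$out"
}

# Re-scan $1, compare against baseline $2, print one line per difference
# (MODIFIED / NEW / DELETED) and return 1 if anything changed, 0 if clean.
integrity_verify() {
    local root base cur tab rc
    root=${1%/}; base=$2; rc=0
    cur=$(mktemp) || return 2
    integrity_baseline "$root" "$cur"
    tab=$(printf '\t')
    awk -F"$tab" '
        FILENAME == ARGV[1] { seen[$3] = $1 FS $2; next }   # load baseline: path -> hash+meta
        {
            if (!($3 in seen))             { print "NEW      " $3; bad = 1 }
            else if (seen[$3] != $1 FS $2) { print "MODIFIED " $3; bad = 1 }
            delete seen[$3]                                   # whatever remains was deleted
        }
        END {
            for (p in seen) { print "DELETED  " p; bad = 1 }
            exit (bad ? 1 : 0)
        }' "$base" "$cur" || rc=$?
    rm -f "$cur"
    return "$rc"
}

# Typical use: integrity_baseline /etc /var/lib/integrity/etc.base once after a known-good
# install, then integrity_verify /etc /var/lib/integrity/etc.base nightly from cron and
# alert on a non-zero exit. Keep the baseline off-host or on read-only media.
```

Expected benign changes (log rotation, package upgrades) should be followed by a deliberate re-baseline, which is exactly the "know which files are modified when your server is running normally" step the answer calls for.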